Trustix alert 2002-0053 (bzip2)

From:	 tsl@trustix.com (Trustix Secure Linux Advisor)
To:	 tsl-announce@trustix.org
Subject: TSL-2002-0053 - bzip2
Date:	 Thu, 6 Jun 2002 16:02:48 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Bugfix Advisory #2002-0053

Package name:      bzip2
Summary:           Minor security fix.
Date:              2002-06-06
Affected versions: TSL 1.1, 1.2, 1.5

- --------------------------------------------------------------------------

Problem description:
  
  The FreeBSD project has found several minor security-related bugs in
  the bzip2 source code. They say the following about the bugs:

  1) Files may be inadvertently overwritten without warning.

  2) Due to the race condition between creating files and setting proper
  permissions, a local user may be able to read the contents of files
  regardless of their intended permissions.

  3) Decompressed files that were originally pointed to by a symbolic
  link may end up with incorrect permissions, allowing local users
  to view their contents.

  Although we don't regard any of these as critical bugs, we have upgraded the
  packages to fix these problems.

Action:
  We recommend that all systems with this package installed are upgraded.


Location:
  All TSL updates are available from
  <URI:http://www.trustix.net/pub/Trustix/updates/>
  <URI:ftp://ftp.trustix.net/pub/Trustix/updates/>


Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically
  installed using 'swup --upgrade'.

  Get SWUP from:
  <URI:ftp://ftp.trustix.net/pub/Trustix/software/swup/>


Public testing:
  These packages have been available for public testing for some time.
  If you want to contribute by testing the various packages in the
  testing tree, please feel free to share your findings on the
  tsl-discuss mailing list.
  The testing tree is located at
  <URI:http://www.trustix.net/pub/Trustix/testing/>
  <URI:ftp://ftp.trustix.net/pub/Trustix/testing/>
  

Questions?
  Check out our mailing lists:
  <URI:http://www.trustix.net/support/>


Verification:
  This advisory, along with all TSL packages, is signed with the TSL sign key.
  This key is available from:
  <URI:http://www.trustix.net/TSL-GPG-KEY>

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.net/errata/trustix-1.2/> and
  <URI:http://www.trustix.net/errata/trustix-1.5/>
  or directly at
  <URI:http://www.trustix.net/errata/misc/2002/TSL-2002-0053-bzip2.asc.txt>


MD5sums of the packages:
- --------------------------------------------------------------------------
d41d4a00fb24e8d2885ea29bd9ec566c  ./1.5/SRPMS/bzip2-1.0.2-2tr.src.rpm
7a6930bf2eeebc0824ba4724c2e398a8  ./1.5/RPMS/bzip2-1.0.2-2tr.i586.rpm
d41d4a00fb24e8d2885ea29bd9ec566c  ./1.2/SRPMS/bzip2-1.0.2-2tr.src.rpm
b9048210c791b5abf9a493b3b2a31e3a  ./1.2/RPMS/bzip2-1.0.2-2tr.i586.rpm
d41d4a00fb24e8d2885ea29bd9ec566c  ./1.1/SRPMS/bzip2-1.0.2-2tr.src.rpm
29bd1e32daca8eaee3cf39891a0e067f  ./1.1/RPMS/bzip2-1.0.2-2tr.i586.rpm
- --------------------------------------------------------------------------


Trustix Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8/zi3wRTcg4BxxS0RAqK9AJ97D4+iAcLpNgsCY6q+ml2JOMs1JgCcDjPy
F6WT9PN2HbKxxewYz+UmIl0=
=5Wif
-----END PGP SIGNATURE-----

_______________________________________________
tsl-announce mailing list
tsl-announce@trustix.org
http://www.trustix.org/mailman/listinfo.cgi/tsl-announce
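
The three items in the problem description all concern how an output file is created and when its permissions are set. The C code below is an added example, not bzip2's code and not the fix shipped in these packages; `create_output`, `copy_mode`, `mode_of` and the `/tmp` paths are hypothetical names constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern, for contrast (not compiled):
 *   fd = open(dst, O_WRONLY | O_CREAT | O_TRUNC, 0666);  overwrites dst
 *   ...write data...
 *   chmod(dst, mode);          permissions tightened only after the fact */

/* Hypothetical helper. O_CREAT|O_EXCL fails if dst already exists (a
 * symbolic link included), so nothing is overwritten silently; mode 0600
 * is set atomically at creation, leaving no window for other users. */
int create_output(const char *dst)
{
    return open(dst, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
}

/* Hypothetical helper. fstat() on the input descriptor reports the file
 * actually read, not a symbolic link that named it; fchmod() acts on the
 * output descriptor, so a path swapped in later cannot redirect it. */
int copy_mode(int in_fd, int out_fd)
{
    struct stat st;
    return fstat(in_fd, &st) == 0 ? fchmod(out_fd, st.st_mode & 0777) : -1;
}

/* Permission bits of an open descriptor, or -1 on error. */
int mode_of(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

int main(void)
{
    char in[64], out[64];                       /* constructed sample paths */
    snprintf(in, sizeof in, "/tmp/tsl-demo-%ld.in", (long)getpid());
    snprintf(out, sizeof out, "/tmp/tsl-demo-%ld.out", (long)getpid());
    int in_fd = open(in, O_RDWR | O_CREAT | O_EXCL, 0600);
    int out_fd = create_output(out);
    if (in_fd < 0 || out_fd < 0 || fchmod(in_fd, 0640) != 0)
        return 1;
    printf("mode at creation: %o\n", mode_of(out_fd));
    int rc = copy_mode(in_fd, out_fd);
    printf("copy_mode: %d, final mode: %o\n", rc, mode_of(out_fd));
    unlink(in); unlink(out);
    return 0;
}
```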
